Public key cryptography and PKIs Shortcomings of symmetric key Establishing a pairwise key requires a key exchange, which requires both parties K K to be online Issue #1: Requires pairwise key exchanges
File downloads Email / chat
One-to-many: All-to-all: O(N) key O(N2) key exchanges exchanges Shortcomings of symmetric key Establishing a pairwise key requires a key exchange, which requires both parties K K to be online Issue #2: Parties must be online
Blue user uploads a document, then goes File downloads offline (e.g., forever)
Later, a yellow user wants One-to-many: to get a copy; how can O(N) key it know the copy is really exchanges from the blue user? Shortcomings of symmetric key Establishing a pairwise key requires a key exchange, which requires both parties K K to be online Issue #3: How do you know to whom you’re talking?
Diffie-Hellman is resilient to eavesdropping, but not tampering
vs
K K K1 K1 K2 K2 A protocol that solves this with trust
Trent: A trusted third party
Alice Bob A protocol that solves this with trust
Trent: A trusted third party
KAT KBT Alice Bob
KAT KBT
1. Everybody establishes a pairwise key with Trent Good: O(N) key exchanges A protocol that solves this with trust
Trent: A trusted third party
KAT KBT Alice Bob
KAT KBT
1. Everybody establishes a pairwise key with Trent Good: O(N) key exchanges 2. Trent validates each user’s identity; includes in message Good: Authenticated communication A protocol that solves this with trust
Trent: A trusted third party
E(KAT, msg || to:Bob)
KAT KBT Alice Bob
KAT KBT
1. Everybody establishes a pairwise key with Trent Good: O(N) key exchanges 2. Trent validates each user’s identity; includes in message Good: Authenticated communication A protocol that solves this with trust
Trent: A trusted third party
E(KAT, msg || to:Bob) E(KBT, msg || from:Alice)
KAT KBT Alice Bob
KAT KBT
1. Everybody establishes a pairwise key with Trent Good: O(N) key exchanges 2. Trent validates each user’s identity; includes in message Good: Authenticated communication A protocol that solves this with trust
Trent: A trusted third party
E(KAT, msg || to:Bob) E(KBT, msg || from:Alice)
KAT KBT Alice Bob
KAT KBT
1. Everybody establishes a pairwise key with Trent Good: O(N) key exchanges 2. Trent validates each user’s identity; includes in message Good: Authenticated communication Bad: All messages get sent through Trent What are we trusting Trent not to do? Just as “secure” meant nothing without an attack model, “trusted” means nothing without a trust model
E(KAT, msg || to:Bob) E(KBT, msg || from:Alice)
KAT KBT Alice Bob
KAT KBT What are we trusting Trent not to do? Just as “secure” meant nothing without an attack model, “trusted” means nothing without a trust model
(Oh wow, “msg”!)
E(KAT, msg || to:Bob) E(KBT, msg || from:Alice)
KAT KBT Alice Bob
KAT KBT
1. Do not read messages What are we trusting Trent not to do? Just as “secure” meant nothing without an attack model, “trusted” means nothing without a trust model
E(KAT, msg || to:Bob) E(KBT, msg’ || from:Alice)
KAT KBT Alice Bob
KAT KBT
1. Do not read messages 2. Do not alter messages What are we trusting Trent not to do? Just as “secure” meant nothing without an attack model, “trusted” means nothing without a trust model
…nothing… E(KBT, msg’ || from:Alice)
KAT KBT Alice Bob
KAT KBT
1. Do not read messages 2. Do not alter messages 3. Do not forge messages What are we trusting Trent not to do? Just as “secure” meant nothing without an attack model, “trusted” means nothing without a trust model
E(KAT, msg || to:Bob) ….
KAT KBT Alice Bob
KAT KBT
1. Do not read messages 2. Do not alter messages 3. Do not forge messages 4. Do not go offline Public key encryption A public key encryption scheme comprises three algorithms
Key generation G This is a randomized algorithm • Inputs (nondeterministic output) • Source of randomness • Maximum key length L Difficult to infer SK from PK • Outputs: a key pair Only one person should know SK; • PK = public key PK should be public to all • SK = secret key
PK and SK are intrinsically bound together: for a given PK, there is a single corresponding SK Example: RSA’s public keys are a pair: (exponent, modulus) Public key encryption A public key encryption scheme comprises three algorithms
Encryption E(PK, msg) This is a randomized algorithm • Inputs (vanilla RSA is deterministic; • Public key PK in practice, RSA-PKCS is used • Message msg of instead, which adds a nonce fixed size to the message) • Outputs: a cipher text c same size as msg PK a.k.a. “Encryption key”
Anyone who knows Alice’s PK can encrypt a message to her… Public key encryption A public key encryption scheme comprises three algorithms
Decryption D(SK, c) This is a deterministic algorithm • Inputs Should always return the • Secret key SK original message • Cipher text c • Outputs: original msg
…but only Alice can decrypt that message Public key encryption A public key encryption scheme comprises three algorithms
Correctness Key generation G → PK = public key D(SK, E(PK, m)) = m → SK = secret key Security Encryption E(PK, m) → cipher text c E(PK, m) should appear random (small change to (PK,m) leads to large changes to c) Decryption D(SK, c) → original msg E() should approximate a one-way trapdoor function: cannot invert without access to SK Protocols with public key encryption Goal: deliver a confidential message
Symmetric key
Email / chat
All-to-all: O(N2) key exchanges Protocols with public key encryption Goal: deliver a confidential message
Symmetric key Generate public/private key pair (PK,SK) Email / chat Annouce PK publicly (on website, in newspaper, …)
All-to-all: O(N2) key exchanges Protocols with public key encryption Goal: deliver a confidential message
Symmetric key Generate public/private key pair (PK,SK) Email / chat Annouce PK publicly (on website, in newspaper, …)
Obtain PK
Send c = E(PK, msg)
All-to-all: O(N2) key exchanges Protocols with public key encryption Goal: deliver a confidential message
Symmetric key Generate public/private key pair (PK,SK) Email / chat Annouce PK publicly (on website, in newspaper, …)
Obtain PK
Send c = E(PK, msg)
All-to-all: O(N2) key Decrypt D(SK, c) = msg exchanges Protocols with public key encryption Goal: deliver a confidential message
Symmetric key Generate public/private key pair (PK,SK) Email / chat Annouce PK publicly (on website, in newspaper, …)
Obtain PK
Send c = E(PK, msg)
All-to-all: O(N2) key Decrypt D(SK, c) = msg exchanges O(N) keys in total Overcoming fixed message sizes
Encryption E(PK, msg) • Inputs • Public key PK Like block ciphers, • Message msg of but there are not fixed size “modes” of public • Outputs: a cipher text c key encryption same size as msg Overcoming fixed message sizes
Encryption E(PK, msg) • Inputs • Public key PK Like block ciphers, • Message msg of but there are not fixed size “modes” of public • Outputs: a cipher text c key encryption same size as msg
Public key operations are slooooow! Overcoming fixed message sizes
Encryption E(PK, msg) • Inputs • Public key PK Like block ciphers, • Message msg of but there are not fixed size “modes” of public • Outputs: a cipher text c key encryption same size as msg
Public key operations are slooooow! Symmetric key operations are fast Hybrid encryption Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK
Obtain PK Generate symmetric key K
Compute cmsg = e(K, msg)
Compute cK = E(PK, K) Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK
Obtain PK Generate symmetric key K
Symm key Compute cmsg = e(K, msg)
Public key Compute cK = E(PK, K) Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK
Obtain PK Generate symmetric key K
Symm key Compute cmsg = e(K, msg)
Public key Compute cK = E(PK, K) Now throw away K Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK
Obtain PK Generate symmetric key K
Symm key Compute cmsg = e(K, msg)
Public key Compute cK = E(PK, K) Now throw away K
Send cK || cmsg Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK
Obtain PK Generate symmetric key K
Symm key Compute cmsg = e(K, msg)
Public key Compute cK = E(PK, K) Now throw away K
Send cK || cmsg
Decrypt D(SK, cK) = K
Decrypt d(K, cmsg) = msg Hybrid encryption
Generate public/private key pair (PK,SK); publicize PK
Obtain PK Generate symmetric key K
Symm key Compute cmsg = e(K, msg)
Public key Compute cK = E(PK, K) Now throw away K
Send cK || cmsg
Public key Decrypt D(SK, cK) = K
Decrypt d(K, cmsg) = msg Symm key Hybrid encryption
Obtain PK Generate symmetric key K
Compute cmsg = e(K, msg)
Compute cK = E(PK, K)
Send cK || cmsg
The easy key distribution of public key
The speed and arbitrary message length of symmetric key Protocols with public key cryptography Goal: determine from whom a message came
Symmetric key Ideally, a user (blue) could post a File downloads message (e.g., sensitive documents or a kernel update), and then go offline
And downloaders (yellow) could subsequently infer the message’s authenticity without having to have One-to-many: already established a pairwise O(N) key key with the publisher exchanges Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) • Inputs • Secret key SK • Fixed-length message • Outputs: a signature s Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) This is a randomized algorithm (nondeterministic output) • Inputs • Secret key SK • Fixed-length message • Outputs: a signature s Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) This is a randomized algorithm (nondeterministic output) • Inputs • Secret key SK SK a.k.a. “Signing key” • Fixed-length message • Outputs: a signature s Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) This is a randomized algorithm (nondeterministic output) • Inputs • Secret key SK SK a.k.a. “Signing key” • Fixed-length message Only one person can sign with • Outputs: a signature s a given (PK,SK) pair Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) This is a randomized algorithm (nondeterministic output) • Inputs • Secret key SK SK a.k.a. “Signing key” • Fixed-length message Only one person can sign with • Outputs: a signature s a given (PK,SK) pair
Verification function Vfy(PK, m, s) • Inputs • Public key PK • Message and signature • Outputs: Yes/No if valid (m,s) Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) This is a randomized algorithm (nondeterministic output) • Inputs • Secret key SK SK a.k.a. “Signing key” • Fixed-length message Only one person can sign with • Outputs: a signature s a given (PK,SK) pair
Verification function Vfy(PK, m, s) Deterministic algorithm • Inputs • Public key PK • Message and signature • Outputs: Yes/No if valid (m,s) Digital signatures A digital signature scheme comprises two algorithms
Signing function Sgn(SK, m) This is a randomized algorithm (nondeterministic output) • Inputs • Secret key SK SK a.k.a. “Signing key” • Fixed-length message Only one person can sign with • Outputs: a signature s a given (PK,SK) pair
Verification function Vfy(PK, m, s) Deterministic algorithm • Inputs • Public key PK Anyone with the PK • Message and signature can verify • Outputs: Yes/No if valid (m,s) Digital signatures A digital signature scheme comprises two algorithms
Signing Sgn(SK, m) Verification Vfy(PK, m, s) → a signature s → Yes/No if valid (m,s)
Correctness Vfy(PK, m, Sgn(SK, m)) = Yes
Security Same as with MACs: even after a chosen plaintext attack, the attacker cannot demonstrate an existential forgery Protocols with digital signatures Goal: determine from whom a message came
Symmetric key Generate public/private File downloads key pair (PK,SK) Annouce PK publicly (on website, in newspaper, …)
One-to-many: O(N) key exchanges Protocols with digital signatures Goal: determine from whom a message came
Symmetric key Generate public/private File downloads key pair (PK,SK) Annouce PK publicly (on website, in newspaper, …)
Compute sig = Sgn(SK, msg)
One-to-many: O(N) key exchanges Protocols with digital signatures Goal: determine from whom a message came
Symmetric key Generate public/private File downloads key pair (PK,SK) Annouce PK publicly (on website, in newspaper, …)
Compute sig = Sgn(SK, msg)
Publish msg || sig One-to-many: O(N) key exchanges Protocols with digital signatures Goal: determine from whom a message came
Symmetric key Generate public/private File downloads key pair (PK,SK) Annouce PK publicly (on website, in newspaper, …)
Compute sig = Sgn(SK, msg)
Publish msg || sig One-to-many: can now go offline! O(N) key exchanges Protocols with digital signatures Goal: determine from whom a message came
Symmetric key Generate public/private File downloads key pair (PK,SK) Annouce PK publicly (on website, in newspaper, …)
Compute sig = Sgn(SK, msg)
Publish msg || sig One-to-many: can now go offline! O(N) key exchanges Obtain PK, msg || sig Vfy(PK, msg, sig) Digital signature properties Digital signature properties
Bob can prove that a message Authenticity signed by Alice is truly from Alice (even without a pairwise key) Digital signature properties
Bob can prove that a message Authenticity signed by Alice is truly from Alice (even without a pairwise key)
Bob can prove that no one has Integrity tampered with a signed message Digital signature properties
Bob can prove that a message Authenticity signed by Alice is truly from Alice (even without a pairwise key)
Bob can prove that no one has Integrity tampered with a signed message
Once Alice signs a message, she Non-repudiation cannot subsequently claim she did not sign that message Do handwritten signatures at the end of a letter have these properties?
Bob can prove that a message Authenticity signed by Alice is truly from Alice (even without a pairwise key)
Bob can prove that no one has Integrity tampered with a signed message
Once Alice signs a message, she Non-repudiation cannot subsequently claim she did not sign that message Do handwritten signatures at the end of a letter have these properties?
Would require unforgeable Authenticity handwritten signatures. This is the one property they sort of get
Bob can prove that no one has Integrity tampered with a signed message
Once Alice signs a message, she Non-repudiation cannot subsequently claim she did not sign that message Do handwritten signatures at the end of a letter have these properties?
Would require unforgeable Authenticity handwritten signatures. This is the one property they sort of get
Would require having a signature Integrity that depended on each part in the body of the letter
Once Alice signs a message, she Non-repudiation cannot subsequently claim she did not sign that message Do handwritten signatures at the end of a letter have these properties?
Would require unforgeable Authenticity handwritten signatures. This is the one property they sort of get
Would require having a signature Integrity that depended on each part in the body of the letter
Would require both of the above Non-repudiation (unforgeable signature that depends on each part of letter) Back to authentication
How can we know it was really who posted PK? Back to authentication
Generate public/private key How can we know it was pair (PK,SK); publicize PK really who posted PK? Back to authentication
Generate public/private key How can we know it was pair (PK,SK); publicize PK really who posted PK?
E(KAT, msg || to:Bob) E(KBT, msg || from:Alice)
KAT KBT Alice Bob
KAT KBT Back to authentication
Generate public/private key How can we know it was pair (PK,SK); publicize PK really who posted PK?
E(KAT, msg || to:Bob) E(KBT, msg || from:Alice)
KAT KBT Alice Bob
KAT KBT Can we achieve authentication without Trent in the middle of every message? Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
Alice
Bob Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
PKT Alice
Bob PKT Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
2. Alice generates a public/private PKT key pair and asks Trent to bind her Alice (PKA, SKA) PKA to her identity
Bob PKT Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
Trent vets Alice 2. Alice generates a public/private PKT key pair and asks Trent to bind her Alice (PKA, SKA) PKA to her identity
Bob PKT Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
Trent vets Alice 2. Alice generates a public/private PKT key pair and asks Trent to bind her Alice (PKA, SKA) PKA to her identity
3. Trent signs a message (with SKT):
“The owner of the secret key PKT Bob corresponding to PKA is Alice” Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
Trent vets Alice 2. Alice generates a public/private PKT key pair and asks Trent to bind her Alice (PKA, SKA) PKA to her identity
3. Trent signs a message (with SKT):
“The owner of the secret key PKT Bob corresponding to PKA is Alice” This message + sig = Certificate Authentication with public keys 1. Trent’s public key is widely Trent (PKT, SKT) disseminated (pre-installed in browsers/operating systems)
Trent vets Alice 2. Alice generates a public/private PKT key pair and asks Trent to bind her Alice (PKA, SKA) PKA to her identity
Alice = PKT 3. Trent signs a message (with SKT):
“The owner of the secret key PKT Bob corresponding to PKA is Alice” This message + sig = Certificate Authentication with public keys 4. Alice makes her certificate Trent (PKT, SKT) publicly available (or Bob simply asks for it)
PKT Alice (PKA, SKA) If Bob trusts Trent, then Bob trusts that he knows Alice = PKA Alice’s public key is PKA
Bob PKT Authentication with public keys 4. Alice makes her certificate Trent (PKT, SKT) publicly available (or Bob simply asks for it)
PKT Alice (PKA, SKA) If Bob trusts Trent, then Bob trusts that he knows Alice = PKA Alice’s public key is PKA
Bob PKT Alice = PKA Authentication with public keys 4. Alice makes her certificate Trent (PKT, SKT) publicly available (or Bob simply asks for it)
5. Bob verifies the certificate using PKT PKT Alice (PKA, SKA) If Bob trusts Trent, then Bob trusts that he knows Alice = PKA Alice’s public key is PKA
Bob PKT Alice = PKA Authentication with public keys 4. Alice makes her certificate Trent (PKT, SKT) publicly available (or Bob simply asks for it)
5. Bob verifies the certificate using PKT PKT Alice (PKA, SKA) If Bob trusts Trent, then Bob trusts that he knows Alice = PKA Alice’s public key is PKA
6. Bob (via hybrid encryption) PKT Bob sends a message to Alice Alice = PKA using her public key PKA Authentication with public keys
Trent (PKT, SKT) Properties
Trent vets Alice
PKT Alice (PKA, SKA)
Alice = PKA
Bob PKT Alice = PKA Authentication with public keys
Trent (PKT, SKT) Properties
Trent need be online only Trent vets Alice when giving out certificates, not any time users want to PKT communicate with one another Alice (PKA, SKA)
Alice = PKA
Bob PKT Alice = PKA Authentication with public keys
Trent (PKT, SKT) Properties
Trent need be online only Trent vets Alice when giving out certificates, not any time users want to PKT communicate with one another Alice (PKA, SKA)
Alice = PKA Communication needn’t go through Trent
Bob PKT Alice = PKA Authentication with public keys
Trust assumptions from our Trent (PKT, SKT) symmetric key protocol: 1. Do not read messages Trent vets Alice 2. Do not alter messages 3. Do not forge messages PKT 4. Do not go offline Alice (PKA, SKA)
Alice = PKA
Bob PKT Alice = PKA Authentication with public keys
Trust assumptions from our Trent (PKT, SKT) symmetric key protocol: 1. Do not read messages Trent vets Alice 2. Do not alter messages 3. Do not forge messages PKT 4. Do not go offline Alice (PKA, SKA)
Alice = PKA Trust assumptions in this public key protocol: 1. Correctly vet users Bob PKT (Some more in practice…) Alice = PKA Certificate revocation
3. Trent signs a message (with SKT):
“The owner of the secret key corresponding to PKA is Alice” This message + sig = Certificate
Put another way: “The only person who knows SKA is Alice”
What happens if Alice’s key gets compromised? (Stolen, accidentally revealed, …) Certificate revocation
Trent (PKT, SKT) Please revoke my certificate (ID #3912…)
Alice Certificate revocation
Trent (PKT, SKT) Please revoke Trent signs a message (with SKT): my certificate (ID #3912…) “Certificate ID #3912… is no longer valid, as of April 5, …” Alice Certificate revocation
Trent (PKT, SKT) Please revoke Trent signs a message (with SKT): my certificate (ID #3912…) “Certificate ID #3912… is no longer valid, as of April 5, …” Alice This message + sig = revocation Certificate revocation
Trent (PKT, SKT) Please revoke Trent signs a message (with SKT): my certificate (ID #3912…) “Certificate ID #3912… is no longer valid, as of April 5, …” Alice This message + sig = revocation
Bob obtains revocation information Bob Obtaining revocation data Certificate Revocation Lists (CRLs)
A (often large) signed list of revocations
“Certificate ID #3912… is Trent no longer valid, as of April 5, …” Obtaining revocation data Certificate Revocation Lists (CRLs)
A (often large) signed list of revocations
“Certificate ID #3912… is Trent no longer valid, as of April 5, …”
Browsers and OSes occasionally download CRLs
Bob Obtaining revocation data Certificate Revocation Lists (CRLs)
A (often large) signed list of revocations
“Certificate ID #3912… is Trent no longer valid, as of April 5, …”
Browsers and OSes occasionally download CRLs
Disincentive: CRLs can be large, Bob so it takes time & bandwidth Obtaining revocation data Certificate Revocation Lists (CRLs)
A (often large) signed list of revocations
“Certificate ID #3912… is Trent no longer valid, as of April 5, …”
Browsers and OSes occasionally download CRLs
Disincentive: CRLs can be large, Bob so it takes time & bandwidth
Result: delayed days/weeks/forever Obtaining revocation data Online Certificate Status Protocol (OCSP)
Browsers and OSes perform OCSP checks on-demand (when verifying the certificate)
Bob Trent Obtaining revocation data Online Certificate Status Protocol (OCSP)
Browsers and OSes perform OCSP checks on-demand (when verifying the certificate)
Is certificate ID #3912… still valid? Bob Trent Obtaining revocation data Online Certificate Status Protocol (OCSP)
Browsers and OSes perform OCSP checks on-demand (when verifying the certificate)
Is certificate ID #3912… still valid? Bob Trent
“Certificate ID #3912… is still longer valid, as of April 5, …” SKT Obtaining revocation data Online Certificate Status Protocol (OCSP)
Browsers and OSes perform OCSP checks on-demand (when verifying the certificate)
Is certificate ID #3912… still valid? Bob Trent
“Certificate ID #3912… is still longer valid, as of April 5, …” SKT
Disincentive: Still delays the initial validation of the certificate (can increase webpage load time) Obtaining revocation data OCSP Stapling
Websites issue OCSP requests, include responses in initial handshake
Is certificate ID #3912… still valid? Alice Trent
“Certificate ID #3912… is still longer valid, as of April 5, …” SKT Alice forwards this to Bob along with the certificate when they first start to communicate Certificate revocation responsibilities
Alice’s responsibility: Request revocations
Trent’s responsibility: Make revocations publicly available
Bob’s responsibility: Check for revocations Certificates in the wild The lock icon indicates that the browser was able to authenticate the other end, i.e., validate its certificate Certificate chain
Subject (who owns the public key)
Common name: the URL of the subject
Issuer (who verified the identity and signed this certificate) Verifying certificates
Browser Certificate “I’m because says so” Verifying certificates
Browser Certificate “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Browser Certificate “I’m because I say so!”
Certificate “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Browser Certificate “I’m because I say so!”
Certificate “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Browser Certificate “I’m because I say so!” Root key store
Every device has one Certificate “I’m because says so” Must not contain malicious certificates
Certificate “I’m because says so” Verifying certificates
Browser Certificate “I’m because I say so!”
Certificate “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Browser Certificate ✓ “I’m because I say so!”
Certificate “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Certificate ✓ “I’m because I say so!”
Browser Certificate “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Certificate ✓ “I’m because I say so!”
Browser Certificate ✓ “I’m because says so”
Certificate “I’m because says so” Verifying certificates
Certificate ✓ “I’m because I say so!”
Certificate ✓ “I’m because says so”
Browser Certificate “I’m because says so” Verifying certificates
Certificate ✓ “I’m because I say so!”
Certificate ✓ “I’m because says so”
Browser Certificate ✓ “I’m because says so” Serial number: Uniquely identifies this cert with respect to the issuer (look for this in CRLs)
Signature algorithm: How the issuer will sign parts of the cert
Not valid before/after: When to start and stop believing this cert (start & expiration dates)
The public key: And the issuer’s signature of the public key Subject Alternate Names: Other URLs for which this cert should be considered valid. (wellsfargo.com is not the same as www.wellsfargo.com)
Can include wildcards, e.g., *.google.com
CRL & OCSP: Where to go to check if this certificate has been revoked
Non-cryptographic checksums Certificate types Why are these different? Certificate types Why are these different?
This is an EV (extended validation) certificate; browsers show the full name for these kinds of certs Proper reaction to Heartbleed
1. Patch the software
2. “Reissue” a new key (get a new one and load it onto your servers)
3. Revoke the old key Proper reaction to Heartbleed
1. Patch the software
2. “Reissue” a new key (get a new one and load it onto your servers)
3. Revoke the old key
Order matters! If we reissued and then patched, then our new key would be compromised, too. If we revoked first, we’d be offline. Heartbleed
OpenSSL Heartbleed
“hi” 2 OpenSSL Heartbleed
“hi” 2 OpenSSL “hi” Heartbleed
OpenSSL Heartbleed
“hi” 22 OpenSSL Heartbleed
“hi” 22 OpenSSL “hi” +20B from memory
< 216 Heartbleed
“hi” 22 OpenSSL “hi” +20B from memory
< 216
Potentially reveals user data and private keys Heartbleed exploits were undetectable Why study Heartbleed?
Akamai Discovered patched Publicly announced
03/21 04/02 04/07 Why study Heartbleed?
Akamai Discovered patched Publicly announced
03/21 04/02 04/07
Every vulnerable website should have:
1 Patched 2 Revoked 3 Reissued Why study Heartbleed?
Akamai Discovered patched Publicly announced
03/21 04/02 04/07
Every vulnerable website should have:
1 Patched 2 Revoked 3 Reissued
Heartbleed is a natural experiment: How quickly and thoroughly do administrators act? Dataset
Rapid7 data 22M certs (~1/wk for 6mos) Dataset
2.8M certs Alexa Top-1M
Rapid7 filter data CAs 22M certs (~1/wk for 6mos) 9k certs Dataset
2.8M certs Alexa Top-1M
Rapid7 filter Leaf Set data validate CAs 22M certs 628k certs (~1/wk for 6mos) 165k domains 9k certs Dataset
2.8M certs Alexa Top-1M
Rapid7 filter Leaf Set data validate CAs 22M certs 628k certs (~1/wk for 6mos) 165k domains 9k certs
• Download CRLs • Detect vulnerability • Identify Heartbleed-induced reissues & revocations Dataset
2.8M certs Alexa Top-1M
Rapid7 filter Leaf Set data validate CAs 22M certs 628k certs (~1/wk for 6mos) 165k domains 9k certs
• Download CRLs • Detect vulnerability • Identify Heartbleed-induced reissues & revocations Prevalence and patch rates
0.6 WasWas ever ever vulnerable vulnerable 0.5 Still vulnerableStill after vulnerable 3 weeks 0.4 0.3 0.2 0.1 Fraction of Domains
Vulnerable to Heartbleed 0 0 200000 400000 600000 800000 1e+06 Alexa Site Rank (bins of 1000) Prevalence and patch rates
0.6 WasWas ever ever vulnerable vulnerable 0.5 Still vulnerableStill after vulnerable 3 weeks 0.4 0.3 0.2 0.1 Fraction of Domains
Vulnerable to Heartbleed 0 0 200000 400000 600000 800000 1e+06 Alexa Site Rank (bins of 1000) Prevalence and patch rates
0.6 WasWas ever ever vulnerable vulnerable 0.5 Still vulnerableStill after vulnerable 3 weeks 0.4 0.3 0.2 0.1 Fraction of Domains
Vulnerable to Heartbleed 0 0 200000 400000 600000 800000 1e+06 Alexa Site Rank (bins of 1000)
Patching rates are mostly positive Only ~7% had not patched within 3 weeks How quickly were certs revoked?
1200 1000 800 600 400 200
Number of Domains/Day 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date How quickly were certs revoked?
1200 1000 800 600 400 200
Number of Domains/Day 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date
Reaction ramps up quickly How quickly were certs revoked?
1200 1000 800 600 400 200
Number of Domains/Day 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date
Reaction ramps up quickly How quickly were certs revoked?
1200 1000 800 Weekends 600 400 200
Number of Domains/Day 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date
Reaction ramps up quickly Security takes the weekends off Certificate update rates
3 wks 1 0.95 0.9 Not revoked 0.85 0.8 0.75 Not reissued 0.7 0.65 not Revoked/Reissued
Frac. of Vulnerable Certs 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date Certificate update rates
3 wks 1 0.95 0.9 Not revoked 0.85 0.8 0.75 Not reissued 0.7 0.65 not Revoked/Reissued
Frac. of Vulnerable Certs 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date Certificate update rates
3 wks 1 0.95 0.9 Not revoked 0.85 0.8 0.75 Not reissued 0.7 0.65 not Revoked/Reissued
Frac. of Vulnerable Certs 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date Similar pattern to patches: Exponential drop-off, then levels out
After 3 weeks: 13% Revoked 27% Reissued Reissue ⇒ New key?
0.6 0.5 0.4 0.3 0.2
0.1 All reissues Heartbleed-induced reissues 0 Fraction of New Certificates Reissued with the Same Key 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Date of Birth Reissue ⇒ New key?
0.6 0.5 0.4 0.3 0.2
0.1 All reissues Heartbleed-induced reissues 0 Fraction of New Certificates Reissued with the Same Key 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Date of Birth Reissue ⇒ New key?
0.6 0.5 0.4 0.3 0.2
0.1 All reissues Heartbleed-induced reissues 0 Fraction of New Certificates Reissued with the Same Key 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Date of Birth Reissuing the same key is common practice 4.1% Heartbleed-induced The ugly truth of revocations
93% Patched 13% Revoked 27% Reissued
Security is supposed to be a fundamental design goal, but • Administrators trade off security for ease of maintenance/cost • Certificate authorities trade off security for profit Can we wait for expiration?
1
0.8
0.6
CDF 0.4
0.2
0 0 1 2 3 4 5 6 Years of Remaining Validity Can we wait for expiration?
Vulnerable but not revoked 1
0.8
0.6
CDF 0.4
0.2
0 0 1 2 3 4 5 6 Years of Remaining Validity Can we wait for expiration?
Vulnerable but not revoked 1
0.8
0.6 ~40% of vulnerable certs CDF 0.4 will not expire for over 1 year 0.2
0 0 1 2 3 4 5 6 Years of Remaining Validity Can we wait for expiration?
Vulnerable but not revoked 1
0.8
0.6 ~40% of vulnerable certs CDF 0.4 will not expire for over 1 year 0.2
0 0 1 2 3 4 5 6 Years of Remaining Validity
We may be dealing with Heartbleed for years Testing browser behavior
Revocation • Browsers should support all major protocols protocols • CRLs, OCSP, OCSP stapling
Availability of • Browsers should reject certs they cannot check revocation info • E.g., because the OCSP server is down
Chain • Browsers should reject a cert if any on the chain fail lengths • Leaf, intermediate(s), root Testing browser behavior
Revocation • Browsers should support all major protocols protocols • CRLs, OCSP, OCSP stapling
Availability of • Browsers should reject certs they cannot check revocation info • E.g., because the OCSP server is down
Chain • Browsers should reject a cert if any on the chain fail lengths • Leaf, intermediate(s), root
Root
Intermediate … Intermediate
Leaf Testing browser behavior
Revocation • Browsers should support all major protocols protocols • CRLs, OCSP, OCSP stapling
Availability of • Browsers should reject certs they cannot check revocation info • E.g., because the OCSP server is down
Chain • Browsers should reject a cert if any on the chain fail lengths • Leaf, intermediate(s), root
Root signs
Intermediate … Intermediate
Leaf Testing browser behavior
Revocation • Browsers should support all major protocols protocols • CRLs, OCSP, OCSP stapling
Availability of • Browsers should reject certs they cannot check revocation info • E.g., because the OCSP server is down
Chain • Browsers should reject a cert if any on the chain fail lengths • Leaf, intermediate(s), root
Root signs
Intermediate … Intermediate
Leaf Testing browser behavior
Revocation • Browsers should support all major protocols protocols • CRLs, OCSP, OCSP stapling
Availability of • Browsers should reject certs they cannot check revocation info • E.g., because the OCSP server is down
Chain • Browsers should reject a cert if any on the chain fail lengths • Leaf, intermediate(s), root
Root signs
Intermediate … Intermediate
Leaf Results across all browsers
✔ Passes test ev Passes for EV certs a Pops up alert to user ✗ Fails test i Ignores OCSP Staple l/w Passes on Linux/Win. Results across all browsers
Chrome
Generally, only checks for EV certs ~3% of all certs
Allows if revocation info unavailable
Supports OCSP stapling
✔ Passes test ev Passes for EV certs a Pops up alert to user ✗ Fails test i Ignores OCSP Staple l/w Passes on Linux/Win. Results across all browsers
Firefox
Never checks CRLs Only checks intermediates for EV certs
Allows if revocation info unavailable
Supports OCSP stapling
✔ Passes test ev Passes for EV certs a Pops up alert to user ✗ Fails test i Ignores OCSP Staple l/w Passes on Linux/Win. Results across all browsers
Safari
Checks CRLs and OCSP
Allows if revocation info unavailable Except for first intermediate, for CRLs
Does not support OCSP stapling
✔ Passes test ev Passes for EV certs a Pops up alert to user ✗ Fails test i Ignores OCSP Staple l/w Passes on Linux/Win. Results across all browsers
Internet Explorer
Checks CRLs and OCSP
Often rejects if revocation info unavailable Pops up alert for leaf in IE 10+
Supports OCSP stapling
✔ Passes test ev Passes for EV certs a Pops up alert to user ✗ Fails test i Ignores OCSP Staple l/w Passes on Linux/Win. Results across all browsers
Mobile Browsers
Uniformly never check
Android browsers request Staple …and promptly ignore it
✔ Passes test ev Passes for EV certs a Pops up alert to user ✗ Fails test i Ignores OCSP Staple l/w Passes on Linux/Win.